Starbuck

ExTS Admin
  • Posts: 4,715
  • Days Won: 28
Everything posted by Starbuck

  1. Thanks for the input Tootech, Anything that prevents having to do a reinstall is always worth trying. Like i said earlier, the problems aren't malware related.... so let's hope your suggestions can save the day. :)
  2. Thought i recognized the name... bob12a seeing the 3d pics confirmed it. :) I've seen some great pics of yours bob, keep astounding me. http://fc07.deviantart.com/images3/i/2004/146/9/1/Two_thumbs_up.gif
  3. Hi Twiceshy, as always, i'll explain afterwards why i asked questions. (it's just my way)
     The system recovery on your laptop gives us 3 options:
     • Non-destructive recovery: this option will restore Windows, supplied applications, and drivers. This option will not destroy your documents or programs. These will be backed up along with the registry. These are restored at the end of the recovery process.
     • System Recovery - No format: this will reinstall Windows, supplied applications and drivers. It will move your files to a folder called "My old disk structure". Any applications (except those supplied) will need to be reinstalled.
     • System Recovery - Quick format: this option will erase your hard drive including your personal files. Windows, supplied applications and drivers will be reinstalled.
     I'm trying to think of the best option for you. Something isn't right and from what i can see, your best option is to go with the 'System Recovery'. I don't say this lightly, it's always a last resort option as far as i'm concerned. In 2 years of doing this, i've only recommended this a handful of times. But like i say, i'm trying to think of the best recovery option for you. Take a look at the options and let me know which you would prefer. Some options will require discs to add programs back. At the end of the day, i don't want you to lose any programs if it can be avoided.
  4. Nice one http://fc07.deviantart.com/images3/i/2004/146/9/1/Two_thumbs_up.gif Together we can beat this, let's not let the bad guys win. Post the report as soon as you have it, i'll be waiting.
  5. Hi Dave and welcome to Free Pc Help. i've provided help on MSN before and it can be a pain. Helping on forums like this is a lot easier and more people can learn from the answers and help.
  6. If you just perform a reinstall of the OS, there's a good chance the malware will still be on the system. If you reformat and then reinstall ... everything will be wiped out, including the malware. Be careful what you back up first, just in case the malware is in any of the files/folders you are backing up, especially if it arrived after downloading files from a P2P program.
  7. Hi and welcome to ExtremeTech.support - Free PC Help
  8. Hi shaunyboy and welcome to FreePcHelp, you are right to be concerned. If we see these trojans before cleaning takes place, this would be our first reply:
     Some browser hijackers and downloaders have been/are active on your computer. It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation. Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. For more information read ....Here If you choose to format and reinstall read...... Here Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.
     As always.... it's your call. I'm just trying to be honest with you.
  9. To be honest, i think we can forget about all the possible Remote Assistance and Remote Desktop theories. I just can't see this being the cause in your case. To go through all the trouble to access your system, download something from limewire and then just leave it on your system!! no, it doesn't add up. Someone that has access to your system has done this, so they can watch the porn .... and then has just left it there. ( probably so they could return and watch it again) Follow the steps in post #5 and i'll take a look and make sure nothing bad is on the system and also make sure any p2p programs are nuked.
  10. Hi Twiceshy, No problem, we don't need him now. Spot on. :) Ok, now we can relax a bit. Your Advent computer uses the latest recovery system that doesn't require any CDs or DVDs to restore your PC to its original factory condition. It's all pre-installed. Let's see if this will help with your windows updates, if not..... it looks like we'll have to go for the system recovery. You're gonna love this: http://fc06.deviantart.com/fs4/i/2004/250/7/1/ROFL_by_b4sti.gif
      Download Dial-a-fix from: Link 1 Link 2
      • Download to your desktop http://img.photobucket.com/albums/v708/starbuck50/DAF1.png
      • Unzip the files to a folder of your choice. Right click on the downloaded zip file and select 'Extract'.
      • Note the new folder location: Open that folder and Double click the gear wheel http://img.photobucket.com/albums/v708/starbuck50/new%20forum/daf4.png
      • Check the "Fix Windows update" box http://img.photobucket.com/albums/v708/starbuck50/new%20forum/daf2.png
      • Clicking the "Flush Softwaredistribution" button is optional:
      • Click "Go" - bottom left corner http://img.photobucket.com/albums/v708/starbuck50/new%20forum/daf3.png
      • Let it run
      • Restart your pc
      • Try the windows updates again
      • Delete or uninstall Dial-a-fix
      Also a 'how-to' here: http://wiki.djlizard.net/Dial-a-fix
      Let me know how it goes. Btw: you have MS office 2007 installed, do you have the disc for this? It wouldn't normally have come with Windows XP.
  11. so what did your friend use to reinstall the OS? Or is there a reinstall partition on the hard drive? What is the make and model of your laptop?
  12. Hi Twiceshy, If you haven't lost your sense of humour.... all is not lost. :) I'm thinking that maybe the reinstall wasn't completed properly. When you had the laptop, did you get the windows installation disc? Also, were there any separate discs which contained extra drivers? In other words.... what discs did you get with the laptop? Also: have you still got the disc that came with the BT home Hub?
  13. Hi borojamie, Hopefully all is not lost, the good news is that you have access to another system. You don't mind a little work do you? :)
      Quick explanation: If we make a bootable disc and boot your system up using this... we can bypass the malware and get a report off the infected system. You then transfer the report to the usb stick, and then send the report from the other system. You will also be able to get any files etc you want off the system at the same time.... sound good?
      OK this file is big... print these instructions out so that you know what you are doing.
      Two programmes to download:
      • First: ISOBurner. This will allow you to burn OTLPE.iso to a CD and make it bootable. Just install the programme, from there on in it is fairly automatic. Instructions
      • Second: Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is approx 280Mb in size so it may take some time to download. When downloaded double click and this will then open ISOBurner to burn the file to CD
      Then:
      • Reboot your system using the boot CD you just created. Note : If you do not know how to set your computer to boot from CD follow the steps here
      • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
      • Your system should now display a Reatogo desktop. Note : as you are running from CD it is not exactly speedy
      • Double-click on the OTLPE icon.
      • Select the Windows folder of the infected drive if it asks for a location
      • When asked "Do you wish to load the remote registry", select Yes
      • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
      • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
      • OTL should now start. Change the following settings:
        • Change Drivers to All
        • Change Registry to All
      • Under the Custom Scan box paste this in:
          %SYSTEMDRIVE%\*.*
          /md5start
          eventlog.dll
          scecli.dll
          netlogon.dll
          cngaudit.dll
          sceclt.dll
          ntelogon.dll
          logevent.dll
          iaStor.sys
          nvstor.sys
          atapi.sys
          IdeChnDr.sys
          viasraid.sys
          AGP440.sys
          vaxscsi.sys
          nvatabus.sys
          viamraid.sys
          nvata.sys
          nvgts.sys
          iastorv.sys
          ViPrt.sys
          eNetHook.dll
          ahcix86.sys
          KR10N.sys
          nvstor32.sys
          ahcix86s.sys
          nvrd32.sys
          /md5stop
          %systemroot%\*. /mp /s
          %systemroot%\System32\config\*.sav
      • Press Run Scan to start the scan.
      • When finished, the file will be saved in drive C:\OTL.txt
      • Copy this file to your USB drive if you do not have internet connection on this system.
      • Right click the file and select send to : select the USB drive.
      • Confirm that it has copied to the USB drive by selecting it
      • You can back up any files that you wish from this OS
      • Please post the contents of the C:\OTL.txt file in your reply.
  14. Hi sercher70 and welcome. I've moved your post to its own thread as this is always easier to reply to individuals.
  15. Hi Twiceshy, That's fine, if you are unsure of anything..... always ask. The 'Hosts' .... is actually inside a folder called 'Etc', you will need to open that first: C:\Windows\System32\drivers\etc\Hosts after you open the 'system32' folder... click on the 'Drivers' folder to open it ..... then click on the 'etc' folder. You should then see the 'Hosts'.
  16. mmm flattery will get you everywhere :) Ok, you talked me into it. :p
      Ok, let's review what we have... or what we know. Normally malware will try and stop sites like this, but we see no evidence of malware. Router has been reset, so that's not the problem. We've reset your hosts file, so that shouldn't be the problem. mmmmm ... thinking heavily here.
      Right, we have 3 options:
      1. Check for rootkits, just in case there is something hiding.... but i doubt it.
      2. Manually look at your hosts file, just in case something has added Microsoft to it. Normally bad sites are added to the file, so when you try to go to a bad site it redirects you back to your own computer. ... worth a try. You can also add an allowed site to the hosts file.... worth trying.
      3. Try to reset all your windows update files on your system ... in case one is corrupt or missing.
      Let's try 2 and 3 first: You're going to be good at all this by the time we have finished. :D
      Step 1
      Make sure that you can see hidden files.
      • Click Start.
      • Click My Computer.
      • Select the Tools menu and click Folder Options.
      • Select the View Tab.
      • Under the Hidden files and folders heading select Show hidden files and folders.
      • Uncheck the Hide protected operating system files (recommended) option.
      • Click Yes to confirm.
      • Uncheck the Hide file extensions for known file types.
      • Click OK.
      Navigate to the following folder: C:\Windows\System32\drivers\etc\Hosts
      This means, from 'my computer', click on the 'C' drive >>> then click on 'Windows' >>> then 'System32' folder >> .... until you get to 'Hosts'. Now right click on 'Hosts' and select 'open with' ..... select notepad. Copy and paste the contents in your next reply.
      Do that first, then we'll move on to resetting all your windows updates files.
  17. See, the fog is clearing already. :p It's ok, for a beginner you have had a lot of work to do. The reason i wanted to be sure about your router, is that i can find no malware on your system. But i don't know exactly what malware was on there before your friend reinstalled everything. Some malware actually infects the router. So if you are still having problems after we have found nothing, this would be the next place to check. It's normally a case of just resetting the router. Some routers need to be reset a little different to others, so i wanted to make sure what you were actually using. This is what i've found: If you would prefer to speak to BT and get them to walk you through it, then by all means do that. If you are still experiencing problems with the connection after that, i suggest you post about the problem here: Networking Networking isn't really my field and the guys there will have a lot more experience than i do. To clear the programs etc we have asked you to download, follow this instruction: Please double-click OTL.exe to run it. You should see a CleanUp! button, press that button, http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png This will remove any programs we have asked you to download along with their associated folders.. plus itself. If you have any questions feel free to ask, i'll keep an eye on this thread.
  18. Hi yumyumcookie, I've never heard of Limewire downloading things by itself. Neither have i heard of a trojan downloading from Limewire on its own before. Malware doesn't normally give you something for free, it's normally there to take something from you. It's common for some malware to give you popups to porn sites and try to get you to click on these links. This is a puzzling situation. If you want me to check your system for malware, i'd be happy to. Just follow the steps below and let me have the reports:
      Step 1
      Please download Malwarebytes Anti-Malware and save it to your desktop.
      • Make sure you are connected to the Internet.
      • Double-click on Download_mbam-setup.exe to install the application.
      • When the installation begins, follow the prompts and do not make any changes to default settings.
      • When installation has finished, make sure you leave both of these checked:
        • Update Malwarebytes' Anti-Malware
        • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
      • On the Scanner tab: Make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
      • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
      • Click OK to close the message box and continue with the removal process.
      • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
      • Make sure that everything is checked, and click Remove Selected.
      • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
      • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the contents of that report in your next reply and exit MBAM.
      Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
      Step 2
      Download OTL to your desktop. If you have problems, try this download link: OTL
      • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
      • When the window appears, underneath Output at the top change it to Minimal Output.
      • Check the boxes beside LOP Check and Purity Check. http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
      • Now copy the lines in the codebox below.
          netsvcs
          msconfig
          %SYSTEMDRIVE%\*.exe
          /md5start
          eventlog.dll
          scecli.dll
          netlogon.dll
          cngaudit.dll
          sceclt.dll
          ntelogon.dll
          logevent.dll
          iaStor.sys
          nvstor.sys
          atapi.sys
          IdeChnDr.sys
          viasraid.sys
          AGP440.sys
          vaxscsi.sys
          nvatabus.sys
          viamraid.sys
          nvata.sys
          nvgts.sys
          iastorv.sys
          ViPrt.sys
          eNetHook.dll
          ahcix86.sys
          KR10N.sys
          nvstor32.sys
          ahcix86s.sys
          nvrd32.sys
          symmpi.sys
          adp3132.sys
          /md5stop
          %systemroot%\*. /mp /s
          %systemroot%\system32\*.dll /lockedfiles
          %systemroot%\Tasks\*.job /lockedfiles
          %systemroot%\system32\drivers\*.sys /lockedfiles
          CREATERESTOREPOINT
      • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste. http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
      • Click the Run Scan button. http://img.photobucket.com/albums/v708/starbuck50/runscan.png Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
      In your next reply, please submit:
      • MBAM scan report
      • Both reports from OTL
      Thanks.
  19. Here we go again Twiceshy, Can you see the confused look on my face? :confused: a BT Home Hub is a modem and router in one. It doesn't need anything else. Is this what you are using: BT Home Hub Explored do you get your broadband connection from BT? what is 'Wirefree'? ... or do you mean wireless?
  20. Hi borojamie, At the moment McCrappy is just that. It's not doing anything... you are severely infected, so let's see if we can shut it up for awhile. To disable your McAfee security programs please refer to the clip below. http://img.photobucket.com/albums/v666/sUBs/mcafee_disable.gif If you manage to shut McAfee up, please try the download/instructions for exehelper again. Have you tried uninstalling McAfee? Also can you let me know if you have access to another system, so that we could download something to that and then transfer it to the infected system by way of usb stick?
  21. Hi Twiceshy, Yep, you're getting good at this now. :) Report tells us that nothing of the old infection remains, so the problem isn't there. Question: Do you have a router/modem ( in one) or are they separate?
  22. Ok, so it would seem that it's not only Microsoft that is blocked. Not to worry, we're not out of ideas yet. :cool: I'm beginning to think that maybe the hard drive wasn't reformatted. If this is the case, there may be remnants of "SECURITY TOOLS" on the system. Let's see if this throws up anything.
      Please download exeHelper to your desktop. If your AV program throws up a warning about the program, ignore the warning. Some AV's flag this program because of how it works... that's all.
      • Double-click on exeHelper.com to run the fix.
      • A black window should pop up, press any key to close once the fix is completed.
      • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com and should open at the end of the scan)
      Note : If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
      Btw: do you only have the one pc/laptop? Or do you have another one you have access to?
  23. Hi Twiceshy, That's ok then. The reason we add: is because, if it was there, we would need to change it. As that option isn't there, just carry on with the other instructions:
  24. It's ok, it's just a glitch ... the author has to fix that. Java 6 Update 18 is the latest version. Btw: you can just right click on the 'Security Check' icon and select delete. It doesn't actually install on your system.
  25. Hi Twiceshy You won't get rid of me that easily. :p If the system had been reformatted and then a reinstall done, you shouldn't have any problems at all.... as everything would be as new. But it seems as though 'Microsoft' sites are being blocked. This would normally point to malware, possibly altering the hosts file. Let's get the hosts file reset and then run a malware scan and see if anything is on the system..... but after a reformat/reinstall there shouldn't be.
      Step 1
      Download HostsXpert.zip
      • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
      • Double-click HostsXpert.exe to run the program.
      • Click "Make Hosts Writable?" in the upper left corner (Only If available).
      • Click "Restore Microsoft's Hosts file" and then click "OK".
      • Click the X to exit the program.
      Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
      Step 2
      Please download Malwarebytes Anti-Malware and save it to your desktop.
      • Make sure you are connected to the Internet.
      • Double-click on Download_mbam-setup.exe to install the application.
      • When the installation begins, follow the prompts and do not make any changes to default settings.
      • When installation has finished, make sure you leave both of these checked:
        • Update Malwarebytes' Anti-Malware
        • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
      • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
      • On the Scanner tab: Make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
      • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
      • Click OK to close the message box and continue with the removal process.
      • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
      • Make sure that everything is checked, and click Remove Selected.
      • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
      • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the contents of that report in your next reply and exit MBAM.
      Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
      In your next reply, please submit: MBAM scan report. Thanks.